I would like to announce the release of MediaWiki 1.20.1, 1.19.3 and 1.18.6. These releases fix 3 security-related bugs that could affect users of MediaWiki. Download links are given at the end of this email. Please note that support for the MediaWiki 1.18 branch ends this month.

* Wikipedia user PleaseStand discovered that a new API feature in MediaWiki 1.20 allowed for HTML code to be injected into the "editfont" option. Since this option only affects the current user, exploitation for XSS is difficult. However, users of MediaWiki 1.20 are encouraged to upgrade. <https://bugzilla.wikimedia.org/show_bug.cgi?id=42202>

* Wikipedia user PleaseStand discovered that a PCRE backtrack limit could easily be exceeded, causing recent changes and history pages to fail to display. Since these pages are often used for fighting spam and vandalism, public wikis are encouraged to update. <https://bugzilla.wikimedia.org/show_bug.cgi?id=41400>